Hackers can use the device's webcam to spy on the owner

Aug 5, 2013 08:04 GMT

Present at the Black Hat 2013 security conference last week, ISEC Partners engineers Aaron Grattafiori and Josh Yavor demonstrated how cybercriminals could hack Samsung Smart TVs.

The duo has shown that an attacker can leverage vulnerabilities in the TVs' operating system and applications to steal sensitive information and even use the integrated webcam to spy on the victim, Security Ledger reports.

While some of the flaws can only be exploited by a local attacker, others can also be leveraged remotely.

According to the experts, the devices do not have firewalls and strong authentication systems that could protect them against cyberattacks.

Yavor and Grattafiori have discovered that they can exploit many well-known web-based vulnerabilities on Samsung TVs.

They’ve been able to leverage the bugs for drive-by download attacks and DNS poisoning. They’ve demonstrated that cybercriminals can steal local user credentials, local Wi-Fi credentials, the browsing history, cookies and cache.

Even Skype accounts can be hijacked, and cybercriminals can take control and access the application program interfaces (APIs) linked to vulnerable Java apps.

The researchers reported their findings to Samsung in January. The company has taken some steps to address the problems in several models. The issues that affect the API will be fixed next year.

The Skype flaws were fixed shortly after being reported, the experts said.

The ISEC Partners engineers admit that it’s not easy to carry out the attacks they’ve presented. However, they want to warn manufacturers that building a framework on HTML and JavaScript applications comes with a risk that should not be disregarded.

This is not the first time experts have found security holes in Samsung Smart TVs. Back in December 2012, ReVuln experts demonstrated that they could access sensitive information, monitor the devices and even gain complete control of them.